Implement libas-safe, a library for extending AS-safety to all library functions

solb · solb · commit 12888df60d15 · 2019-05-06T21:19:55.000-04:00
It does this either by redirecting the signal handler to a separate copy of the library (if libgotcha doesn't treat the symbols as whitelisted), or else by deferring handling of the signal. This was tested against 97410c8:posix_safety/as.c built with -fpic -O2 -D_DEFAULT_SOURCE and a vanilla build of libgotcha revision a211a7b with the following symlinks: * ./libgotcha/libgotcha.a -> .../libgotcha/libgotcha.a * ./libgotcha.h -> .../libgotcha/libgotcha_api.h * ./libgotcha.mk -> .../libgotcha/libgotcha.mk * ./libgotcha_repl.h -> .../libgotcha/libgotcha_repl.h
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,7 @@
+/libgotcha.h
+/libgotcha.mk
+/libgotcha_repl.h
+
+*.a
+*.o
+*.so
diff --git a/Makefile b/Makefile
@@ -0,0 +1,16 @@
+CFLAGS   += -std=c99 -g -O2 -fpic -fno-optimize-sibling-calls -Wall -Wextra -Wpedantic
+CPPFLAGS += -D_DEFAULT_SOURCE
+
+-include libgotcha.mk
+
+.PHONY: all
+all: libas-safe.so
+
+libas-safe.so: libgotcha.h
+
+libgotcha.a: libgotcha/libgotcha.a
+	objcopy -Wsigaction --globalize-symbol libgotcha_sigaction --globalize-symbol libgotcha_pthread_sigmask --globalize-symbol libgotcha_sigaddset --globalize-symbol libgotcha_sigfillset $< $@
+
+.PHONY: clean
+clean:
+	$(RM) *.a *.o *.so
diff --git a/as-safe.c b/as-safe.c
@@ -0,0 +1,127 @@
+#include "libgotcha.h"
+#include "libgotcha_repl.h"
+
+#include <assert.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <threads.h>
+
+struct handler {
+	void (*handler)(int, siginfo_t *, void *);
+	sigset_t mask;
+};
+
+struct pending {
+	siginfo_t info;
+	sigset_t mask;
+};
+
+static struct handler *handlers;
+static int (*mainfunc)(int, char **, char **);
+static libgotcha_group_t nonsignal;
+static thread_local struct pending pending;
+static bool verbose;
+
+static int as_safe(int, char **, char **);
+#pragma weak libassafe_libc_start_main = __libc_start_main
+int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv, int (*init)(int, char **, char **), void (*fini)(void), void (*rtld_fini)(void), void *stack_end) {
+	mainfunc = main;
+	return __libc_start_main(as_safe, argc, argv, init, fini, rtld_fini, stack_end);
+}
+
+static void restorer(void);
+static int as_safe(int argc, char **argv, char **envp) {
+	if(getenv("LIBASSAFE_VERBOSE"))
+		verbose = true;
+
+	if(verbose) fputs("LIBAS-SAFE: as_safe() initializating...\n", stderr);
+	handlers = calloc(SIGRTMAX, sizeof *handlers);
+	libgotcha_group_thread_set(nonsignal = libgotcha_group_new());
+	libgotcha_shared_hook(restorer);
+	return mainfunc(argc, argv, envp);
+}
+
+static void stub(int, siginfo_t *, void *);
+int sigaction(int signum, const struct sigaction *act, struct sigaction *oldact) {
+	assert(signum >= 0);
+	assert(signum < SIGRTMAX);
+
+	struct sigaction sa;
+	struct handler backup;
+	if(act) {
+		if(verbose) fprintf(
+			stderr,
+			"LIBAS-SAFE: sigaction() installing new handler for signal %d\n",
+			signum);
+
+		struct handler *record = handlers + signum;
+		memcpy(&backup, record, sizeof backup);
+		memcpy(&sa, act, sizeof sa);
+		record->handler = sa.sa_sigaction;
+		sa.sa_sigaction = stub;
+		record->mask = sa.sa_mask;
+		libgotcha_sigfillset(&sa.sa_mask);
+
+		sa.sa_flags |= SA_SIGINFO;
+		if(sa.sa_flags & SA_NODEFER) {
+			sigdelset(&record->mask, signum);
+			sa.sa_flags &= ~SA_NODEFER;
+		} else
+			libgotcha_sigaddset(&record->mask, signum);
+
+		act = &sa;
+	}
+
+	int status = libgotcha_sigaction(signum, act, oldact);
+	if(status)
+		memcpy(handlers + signum, &backup, sizeof backup);
+	if(oldact && oldact->sa_sigaction == stub)
+		oldact->sa_sigaction = handlers[signum].handler;
+	return status;
+}
+
+static void stub(int no, siginfo_t *si, void *co) {
+	libgotcha_group_t group = libgotcha_group_thread_get();
+	siginfo_t extra = {
+		.si_signo = 0,
+	};
+	if(pending.info.si_signo) {
+		assert(pending.info.si_signo == no);
+
+		ucontext_t *uc = co;
+		memcpy(&extra, &pending.info, sizeof extra);
+		memcpy(&uc->uc_sigmask, &pending.mask, sizeof uc->uc_sigmask);
+		pending.info.si_signo = 0;
+	} else if(group == LIBGOTCHA_GROUP_SHARED) {
+		if(verbose) fprintf(
+			stderr,
+			"LIBAS-SAFE: stub() deferring handling of signal %d to after shared code\n",
+			no);
+
+		ucontext_t *uc = co;
+		memcpy(&pending.info, si, sizeof pending.info);
+		memcpy(&pending.mask, &uc->uc_sigmask, sizeof pending.mask);
+		libgotcha_sigfillset(&uc->uc_sigmask);
+		return;
+	}
+
+	struct handler *record = handlers + no;
+	libgotcha_pthread_sigmask(SIG_SETMASK, &record->mask, NULL);
+	libgotcha_group_thread_set(LIBGOTCHA_GROUP_SHARED);
+	if(extra.si_signo)
+		record->handler(no, &extra, co);
+	record->handler(no, si, co);
+	libgotcha_group_thread_set(group);
+}
+
+static void restorer(void) {
+	if(pending.info.si_signo) {
+		sigset_t full;
+		libgotcha_sigfillset(&full);
+		sigdelset(&full, pending.info.si_signo);
+		sigsuspend(&full);
+	}
+}
